Sample deliverable

Sample SOC 2 Gap Assessment Report

This is a representative excerpt of the report every Security Program Gap Assessment client receives — the same structure, the same depth, the same directness. It was prepared for Helios Metrics, Inc., a fictional 42-person B2B SaaS company; any resemblance to a real organization is coincidental. Read it to judge for yourself whether the deliverable is worth the fee.

Report section 1

Executive summary

Helios Metrics is at an overall readiness of 58% against the SOC 2 Security criteria. That is a normal place for a company of this size to start — and better than most teams three months into a Vanta deployment. The gaps split into two kinds: operational discipline — access reviews that have never been run, an incident response plan that has never been exercised, vendor risk that is untracked — and a handful of pointed technical exposures that are individually fast to fix but serious while they stand: active root-account access keys, single-region audit logging, and a live credential sitting in git history.

None of the findings below is unusual, and none is fatal. With focused effort, Helios can be ready for a Type I audit in approximately 10 weeks. For the Type II report the enterprise prospects require, the audit observation window (typically 3–6 months) should begin only after the Wave 1 and Wave 2 remediations are complete and producing evidence — starting the window early with known gaps would bake exceptions into the report.

The four actions that matter most right now:

  1. Delete the root-account access keys, extend CloudTrail to all regions, and revoke the credential found in git history (F-02, F-05) — hours of work, immediate risk reduction, and the kind of finding an attacker exploits long before an auditor notices.
  2. Establish and execute the access review and offboarding process (F-01) — this is the gap most likely to produce exceptions in the report.
  3. Define incident severity levels and run one tabletop exercise (F-03) — cheap to fix, disproportionately damaging to leave open.
  4. Stand up the vendor inventory and close the three missing DPAs (F-04) before an enterprise security review asks for them — prospects will ask before the auditor does.
Report section 2

Readiness scorecard by control domain

Scores reflect both control design and evidence readiness — a control that exists but produces no evidence scores as if it half-exists, because to an auditor it does.

Control domain Primary criteria Readiness Status
Data protection & encryptionCC6.6–CC6.775%Strong — minor evidence gaps
Governance & policiesCC1, CC570%Policies exist; tailoring needed (F-06)
Logical access controlCC6.1–CC6.365%Design gaps — reviews never executed (F-01); root keys & bastion exposure (F-02)
People & HR securityCC1.4–CC1.560%Onboarding solid; offboarding inconsistent (F-01)
System operations & monitoringCC7.1–CC7.260%Alerting in place; single-region CloudTrail (F-02); review cadence undocumented
Availability & resilienceA1, CC9.155%Backups tested; DR plan unwritten
Risk assessmentCC3.1–CC3.450%No formal risk register or annual assessment
Change managementCC8.145%PR review policy not enforced everywhere (F-05); approvals & rollback undocumented
Incident responseCC7.3–CC7.540%Plan exists on paper only (F-03)
Vendor & third-party managementCC9.235%No inventory, reviews, or DPA tracking (F-04)
Overall58%Type I achievable in ~10 weeks
Report section 3

Findings (excerpt — 6 of 14)

The full report documents every finding in this format. Each maps to the specific Trust Services Criteria an auditor will test, so nothing here is opinion without a consequence attached.

F-01 · Critical

Access reviews never performed; offboarding gaps

Observation. No user access review has been performed since company founding. Offboarding sampling found a contractor separated in March who retained active GitHub organization membership for 47 days, and an AWS IAM user with console access unused for 90+ days. Vanta's access review feature is enabled but no review has been initiated.

Why it matters (CC6.1–CC6.3 · CIS v8 Controls 5, 6). Access control is the most heavily sampled area of a SOC 2 audit. A terminated user with live access during the observation window is a near-certain exception — and the kind enterprise security reviewers ask about directly.

Guided remediation. Document an access review procedure (quarterly, system-scoped, with sign-off); run the first review now and remediate what it finds; add a same-day deprovisioning checklist to the Rippling offboarding workflow; enable Vanta's offboarding monitoring against the HRIS feed.

Effort: 2–3 weeks · Owner: Engineering lead + People Ops

F-02 · High

Cloud infrastructure configuration gaps

Observation. The AWS root account has two active access keys, one used by a deployment script last rotated 14 months ago. CloudTrail is enabled in us-east-1 only — activity in other regions is unlogged. One security group permits SSH (0.0.0.0/0, port 22) to a bastion host that MFA does not protect, and the S3 account-level public access block is not enforced (three buckets rely on per-bucket settings alone).

Why it matters (CC6.1, CC6.6, CC7.1 · CIS v8 Controls 4, 8, 12). Root-account access keys are the highest-privilege credential in the environment embedded in automation — a single leak is a full-environment compromise, and auditors flag it immediately. Single-region CloudTrail means the monitoring controls you'll claim in CC7.1 cannot be evidenced for most of the account surface.

Guided remediation. Delete the root access keys and move the deployment script to a scoped IAM role; convert CloudTrail to an all-region organization trail with log-file validation; restrict bastion SSH to VPN/identity-gated sources and enforce MFA; enable the account-wide S3 public access block. Vanta's AWS tests will confirm each fix automatically.

Effort: 2–3 days · Owner: Platform engineer

F-03 · High

Incident response plan exists on paper only

Observation. An incident response policy exists (template-derived) but has never been exercised. There is no severity classification, no defined communication path for customer-impacting incidents, and on-call responsibility is informal ("whoever sees it"). Two production incidents in the past year were resolved competently but produced no post-incident documentation.

Why it matters (CC7.3–CC7.5 · CIS v8 Control 17). Auditors test whether incidents are classified, escalated, and reviewed — an unexercised plan with no incident records reads as a control that does not operate. The two undocumented incidents are evidence that should exist and doesn't.

Guided remediation. Define a 4-level severity matrix with escalation and customer notification rules; run one tabletop exercise against a realistic scenario and record it; adopt a lightweight post-incident review template so every future incident produces evidence.

Effort: 1–2 weeks · Owner: CTO

F-04 · Medium

No vendor security review process

Observation. Helios uses 11 subprocessors with production-data access. There is no vendor inventory, no record of any security review, no DPA on file for 3 of the 11, and no assigned owner for vendor risk.

Why it matters (CC9.2 · CIS v8 Control 15). Vendor risk management is tested directly, and — more urgently for Helios — enterprise procurement teams request the subprocessor list and DPAs during security review. This gap will surface in the sales cycle before it surfaces in the audit.

Guided remediation. Build the vendor inventory in Vanta; tier vendors by data access; collect SOC 2 reports or security documentation for critical vendors annually; execute the three missing DPAs; assign vendor-risk ownership.

Effort: 2 weeks · Owner: COO

F-05 · Medium

Source-control platform not hardened

Observation. Branch protection is absent on 2 of 14 GitHub repositories, including one that deploys to production on merge. GitHub secret scanning and push protection are disabled org-wide, and a live third-party API key was found in the commit history of an archived repository (confirmed still valid during the assessment, revoked same day).

Why it matters (CC6.1, CC8.1 · CIS v8 Controls 4, 16). Unprotected production-deploying branches defeat the change-management control you'll claim under CC8.1 — the PR-review requirement is policy, not enforcement. A valid credential in git history is an active exposure, not a historical one: history is readable by every past and present collaborator.

Guided remediation. Enforce branch protection (required review + status checks) on all production-path repositories; enable org-wide secret scanning and push protection; sweep history for credentials with a scanning tool, rotate anything found, and document the rotation as evidence.

Effort: 2–3 days · Owner: Engineering lead

F-06 · Low

Template policies not tailored to the actual environment

Observation. The policy set was generated from templates and approved wholesale. The password policy references on-premises Active Directory (Helios has none); the data classification policy defines four levels that appear nowhere else in practice.

Why it matters (CC5.3 · CIS v8 requires enterprise-specific process documentation across most safeguards). Policies that describe systems you don't run signal to an auditor that policies aren't operationalized — it invites deeper sampling everywhere else. Low severity, but cheap credibility to reclaim.

Guided remediation. Tailor each policy to the real stack during the next review cycle; delete inapplicable sections rather than leaving them "just in case"; align the data classification levels with how data is actually labeled in practice.

Effort: 1 week, rolling · Owner: CTO

A finding without a path to fixed is just bad news. Every finding maps to both the SOC 2 Trust Services Criteria your auditor will test and the CIS Controls v8 safeguards that describe the underlying practice — and every remediation is written to be executed, not admired: specific mechanisms, effort, and owner. When clients continue into a Kickstart or readiness engagement, we implement these fixes alongside your team — configuration walkthroughs, evidence templates, and validation in your GRC platform — rather than handing you a to-do list and an invoice.

Report section 4

Remediation roadmap (excerpt)

The full roadmap sequences all 14 findings plus 9 smaller items into three waves, ordered so evidence starts accumulating as early as possible.

Wave Timeline Focus Key items
Wave 1 Weeks 1–2 Stop the bleeding Root-key removal, all-region CloudTrail, credential revocation (F-02, F-05); first access review + offboarding checklist (F-01); severity matrix (F-03)
Wave 2 Weeks 3–5 Make controls operate IR tabletop + post-incident template (F-03); vendor inventory, DPAs & tiering (F-04); branch protection + org-wide secret scanning (F-05); risk register stood up
Wave 3 Weeks 6–10 Evidence maturity Policy tailoring (F-06); DR plan written and walked through; monitoring review cadence documented; change-management approvals documented; Vanta failing tests cleared; Type I readiness check

After Wave 3, Helios is positioned for a Type I audit, and the Type II observation window can open with controls actually operating — which is what keeps exceptions out of the report the enterprise prospects will read.

What the full report adds

  • All 14 findings plus 9 minor observations, in the format above
  • Control-by-control mapping across every Common Criteria area, cross-mapped to CIS Controls v8
  • Complete evidence inventory — what exists, what's incomplete, what's missing
  • Effort-estimated roadmap for every item, sequenced into waves
  • Board/leadership executive summary as a standalone one-pager
  • Vanta configuration review with specific test-level fixes

About this sample

Helios Metrics, Inc. is a fictional company created to demonstrate the deliverable. The findings, numbers, and timelines are representative of what we typically see at this company size and stage — but every real report is built from your interviews, your evidence, and your environment. Nothing is templated except the structure.

Get this report for your company

The Security Program Gap Assessment is $4,950 fixed for a single framework, delivered in 2–3 weeks — and 100% credited toward a full readiness engagement within 60 days. Not ready for the full assessment? A $1,450 Security Health Check — a read-only snapshot of your GRC platform, or of your core controls and policies if you don't have one yet — is the smaller first step, fully credited if you upgrade.